{
	"id": "457a819c-74cf-4d4a-b9b6-46992d01daf7",
	"created_at": "2026-04-06T00:22:17.61687Z",
	"updated_at": "2026-04-10T13:12:13.551903Z",
	"deleted_at": null,
	"sha1_hash": "5ada17863d91178cc7273e0e3a5b2971f476be91",
	"title": "qakbot_technical_analysis_report.pdf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33192,
	"plain_text": "qakbot_technical_analysis_report.pdf\r\nArchived: 2026-04-05 15:50:01 UTC\r\nIntroduction\r\nQakbot, which was first detected in 2007, is also known as QBOT.\r\nThe main purpose of the QAKBOT family is to steal credentials and\r\nother financial information about bank accounts. The QAKBOT family\r\nhas become an effective cyberattack tool with data theft in recent\r\nyears. This is how today's most dangerous cyber attacks can be carried\r\nout. Prolock can make banking transactions via IP address by remotely\r\nconnecting to ransomware and Windows system. It can work and\r\ndevelop acting worm-like, create backdoors on machines, and record\r\nuser input outputs.\r\nResurrected by other malware such as EMOTET, QAKBOT has\r\nbeen found to have been distributed through a spam campaign using\r\nspam or hidden emails. These cyberattacks primarily redirect to a\r\nmalicious web page and use an Excel document as a dropper. Later,\r\nQAKBOT downloads the main malicious file with the help of macro\r\ncode in the Excel document, which is the dropper. Droppers are\r\nmalicious components that work to download the actual ransomware.\r\nThe dropper leaves a copy of itself on the machine and creates a\r\nscheduled task for autorun recording and persistence. It also injects\r\nitself into the explorer.exe process.\r\nFirst Look\r\nFirst, it starts with a specialized phishing e-mail. The content of the\r\nmail is an Office document. The macros of Office documents are written\r\nin VBScript. VBScript, modelled by Microsoft on Visual Basic, is\r\nan Active Scripting language, and the downloaded content enables\r\ncommunication with the server controlled by cybercriminals and\r\ncommand transmission.\r\nSource: https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view"
	],
	"report_names": [
		"view"
	],
	"threat_actors": [],
	"ts_created_at": 1775434937,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ada17863d91178cc7273e0e3a5b2971f476be91.pdf",
		"text": "https://archive.orkl.eu/5ada17863d91178cc7273e0e3a5b2971f476be91.txt",
		"img": "https://archive.orkl.eu/5ada17863d91178cc7273e0e3a5b2971f476be91.jpg"
	}
}